webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
- Severity: Low
Description
When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list.
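The redirect check the advisory describes, as an added JavaScript example that is not webpack's own code: a minimal buildHttp-style resolver that validates allowedUris on the initial URL only (the affected behaviour) or on every redirect hop (the patched behaviour). The allowedUris matching rules (string prefix, RegExp, predicate), the in-memory response table and the host names are constructed for illustration so the example runs offline.

```javascript
// Added example, not webpack's HttpUriPlugin. Constructed in-memory "server":
// one same-host redirect and one redirect that leaves the allow-list.
const FAKE_TRANSPORT = {
  "https://cdn.example.com/old.js": { status: 301, location: "/new.js" },
  "https://cdn.example.com/new.js": { status: 200, body: "export default 1;" },
  "https://cdn.example.com/redirect.js": { status: 302, location: "http://internal.example.test/config" },
  "http://internal.example.test/config": { status: 200, body: "internal-only data" },
};
const fakeFetch = (url) => FAKE_TRANSPORT[url] || { status: 404, body: "" };

// Assumed allow-list semantics: string prefix, RegExp, or predicate function.
function isAllowed(url, allowedUris) {
  return allowedUris.some((rule) => {
    if (typeof rule === "string") return url.startsWith(rule);
    if (rule instanceof RegExp) return rule.test(url);
    return typeof rule === "function" && rule(url);
  });
}

// recheckRedirects=false mirrors the affected behaviour (initial URL checked only);
// recheckRedirects=true is the hardened behaviour: each Location target must also
// satisfy allowedUris before it is fetched (and before it could reach a lockfile/cache).
function resolveHttpImport(startUrl, allowedUris, fetchFn,
                           { recheckRedirects = true, maxRedirects = 10 } = {}) {
  if (!isAllowed(startUrl, allowedUris)) throw new Error(`${startUrl} is not in allowedUris`);
  let url = startUrl;
  const chain = [url]; // every URL visited, useful for audit logging
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchFn(url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      url = new URL(res.location, url).href; // Location may be relative
      chain.push(url);
      if (recheckRedirects && !isAllowed(url, allowedUris)) {
        throw new Error(`redirect to ${url} is not in allowedUris`);
      }
      continue;
    }
    if (res.status !== 200) throw new Error(`HTTP ${res.status} for ${url}`);
    return { url, chain, body: res.body };
  }
  throw new Error(`more than ${maxRedirects} redirects from ${startUrl}`);
}

const ALLOWED = ["https://cdn.example.com/"];
```

With `recheckRedirects: false` the import of `redirect.js` resolves to the internal host; with the default it is rejected at the second hop while the same-host `old.js` to `new.js` redirect still succeeds.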
Recommendation
Update the webpack package to the latest compatible version. Version details:
- Affected version(s): >= 5.49.0, < 5.104.0
- Patched version(s): 5.104.0
References
Related Issues
- webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - CVE-2025-68458
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- hemmelig allows SSRF Filter bypass via Secret Request functionality - CVE-2025-69206
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Tags:
- npm
- webpack
Last updated on February 06, 2026